Statement of intent on data protection

8 August 2017

The UK Government has published a ‘statement of intent’ about its proposed Data Protection Bill, which will update the 1998 law on data protection, as announced in the Queen’s speech in June.

The document says that data protection ‘in part relies on organisations adequately protecting their IT systems from malicious interference’. It acknowledges that businesses of all sizes and in all sectors face ‘cyber risks’; hence the document points to schemes such as Cyber Essentials and to the recently formed National Cyber Security Centre (NCSC).

As background, the UK is going ahead with the EU’s GDPR despite the Brexit vote, not least because, on leaving the EU after the 2016 referendum, the UK is to carry EU law over into domestic law. According to the minister responsible, Matt Hancock, the EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed ‘to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation’. And the Data Protection Bill ‘will allow the UK to continue to set the gold standard on data protection’. Matt Hancock said the Bill will include ‘tougher rules on consent, rights to access, rights to move and rights to delete data’ and the ‘right powers’ for the regulator, the ICO.

According to a report for the Department for Culture, Media and Sport (DCMS) by the consultancy London Economics, businesses are not putting in place more security measures in response to the proposed increase in maximum fines under the GDPR (the European Union-wide general data protection regulation) from next year, because they are already taking data security seriously. Consumers care about the security of their data, it is suggested, but trust businesses with their data depending on how well they protect it, not on the basis of any fine (of which they may well be unaware).

This seems to go against the Government’s ‘statement of intent’, which said ‘the increased financial sanctions applicable for data breaches, and the introduction of aggravating and mitigating factors, will result in improved cybersecurity practices in the UK’.

As for those doing the job of data protection, according to the consultants’ report they think that fines for wrongdoing will have little extra impact on data security – because firms already take data security seriously – but the fines (maybe up to £17m, that is, the equivalent of the EU-set 20m euros or 4pc of an offender’s turnover, compared with the ICO’s limit of £500,000 now, and in practice at most in the lower hundreds of thousands of pounds) may reinforce a security mindset in an organisation. The loss of consumer trust from a data breach is seen as a much larger problem than a fine. The report looked into the benefits from the GDPR to personal data rights. The authors pointed out that trust is difficult to measure. Consumers may lose confidence in a data holder after data loss or other adverse publicity around a company’s handling of consumer data; but again, confidence is hard to quantify.

Security comes in where firms have stronger incentives to keep data secure, whether because of fines from the UK regulator, the Information Commissioner’s Office (ICO), or because of a requirement to notify the ICO of a breach (and hence bad publicity). On that point, businesses did raise concerns ‘that new business models might spring up that use access requests (potentially coupled with the threat of erasure) to exert pressure on companies in the wake of a data breach, akin to firms touting for custom for speculative claims in relation to mis-sold payment protection insurance (PPI). Such ‘fishing exhibitions’ could be highly damaging for a firm’s reputation, and there may be direct harm from follow-on claims against a company that is being fined by the ICO’. Few businesses expect direct commercial benefits as a result of GDPR.

DPO role

According to the report, it is widely accepted that having a DPO (Data Protection Officer) does increase the status and priority of data protection within organisations, including data security and, more generally, the quality and accuracy of data. According to the ICO, the role of Data Protection Officers (DPOs) is ‘to inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws; to monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits; and to be the first point of contact for supervisory authorities and for individuals whose data is processed’.

James Davies, personal data policy manager at BCS, the Chartered Institute for IT, said: “While a lot of questions remain around how some of these proposals will work in practice, this Statement of Intent’s focus on creating more consumer trust in the data economy is very welcome. This trust must ultimately come from consumers feeling that they control who has access to their information. This will develop as consumer understanding of the value of data increases. The public’s current level of understanding over who has access to their data, and what it is being used for, is generally low, with many people largely unaware how much of their personal information they are giving away each time they use online products or services. Many of the proposed new measures, such as the need for explicit consent to be gained from the consumer, and the expanded ‘right to be forgotten’, will help to raise the public level of understanding, and are therefore a welcome step.

“An informed public discussion over many of the subjects in the upcoming Bill is timely and welcome. So much could be achieved with the effective sharing of data – from improved consumer services to advances in medical treatments – but this can only happen when individuals understand both the risks and benefits of sharing their data. Armed with that information, they can make an informed choice over their own data enough that they are willing to consciously share it.

“Clearly, an environment in which an informed public can consciously and happily choose to share their information with government and organisations in exchange for improved services or products would be beneficial for society as a whole.”